qqpass | 31ac63986892136dfbcfe6a88f7bb28dc68ea572f01dbc97a67025a03d2a22dc

Analysis

max time kernel
149s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
17/03/2025, 00:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31ac63986892136dfbcfe6a88f7bb28dc68ea572f01dbc97a67025a03d2a22dc.exe
Size

84KB
MD5

43321069d47fbc0971f2679d177c02d5
SHA1

4e83b771bd805a7ddb3c09a4b5a1085833b22500
SHA256

31ac63986892136dfbcfe6a88f7bb28dc68ea572f01dbc97a67025a03d2a22dc
SHA512

46dad3c69097b80d180bfc214711d5d164577fa4914081ad4d78ad69f5f1f8ff37bc4a0594456d4fedbfa0576eededb58f907f02a03c7f4b7aac3f10781b5a00
SSDEEP

1536:Kc5OSJHk5rzX+KXNuAKf61xY6L+1qHpUq3VC8AaO7y/4iWT+/SAPpzlS1pG9btnM:KNkkRpXNNY61vZJUq3pi7y/4b+/hPpkf

Score

10^/10

qqpass discovery trojan upx

Malware Config

Extracted

Family

qqpass

http://cf.qq.com/act/a20141214luxury/?ADTAG=client.btn.detail

Attributes

url
http://i3.tietuku.com/801db876cdcaa96c.png
user_agent
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

Signatures

QQpass
QQpass is a trojan written in C++..
trojan qqpass
Qqpass family
qqpass

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	31ac63986892136dfbcfe6a88f7bb28dc68ea572f01dbc97a67025a03d2a22dc.exe

Deletes itself 1 IoCs

pid	Process
4588	Sysceamlvfrx.exe

Executes dropped EXE 1 IoCs

pid	Process
4588	Sysceamlvfrx.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2644-0-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/files/0x000700000001e6c0-10.dat	upx
behavioral2/memory/2644-41-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/4588-42-0x0000000000400000-0x000000000046B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	31ac63986892136dfbcfe6a88f7bb28dc68ea572f01dbc97a67025a03d2a22dc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sysceamlvfrx.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	31ac63986892136dfbcfe6a88f7bb28dc68ea572f01dbc97a67025a03d2a22dc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe
4588	Sysceamlvfrx.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 4588	2644	31ac63986892136dfbcfe6a88f7bb28dc68ea572f01dbc97a67025a03d2a22dc.exe	89
PID 2644 wrote to memory of 4588	2644	31ac63986892136dfbcfe6a88f7bb28dc68ea572f01dbc97a67025a03d2a22dc.exe	89
PID 2644 wrote to memory of 4588	2644	31ac63986892136dfbcfe6a88f7bb28dc68ea572f01dbc97a67025a03d2a22dc.exe	89

C:\Users\Admin\AppData\Local\Temp\31ac63986892136dfbcfe6a88f7bb28dc68ea572f01dbc97a67025a03d2a22dc.exe
"C:\Users\Admin\AppData\Local\Temp\31ac63986892136dfbcfe6a88f7bb28dc68ea572f01dbc97a67025a03d2a22dc.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Users\Admin\AppData\Local\Temp\Sysceamlvfrx.exe
  "C:\Users\Admin\AppData\Local\Temp\Sysceamlvfrx.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Sysceamlvfrx.exe

Filesize
84KB

MD5
859e2381ce842b8dc6c267aea62cf01f

SHA1
85704f0e780758dec4d4a4bacbc7f18046b8239c

SHA256
a08b7fcc3bfaa6ffa7b1296939bcf161c8d948e3ba87cf16a060e79ed34c2081

SHA512
88cca7f50b9754cf0b8a262ae2b57c6008c98cf62c854a3c02a72e46a50b75d570abf779dae6ca14eea990dacd5ea184a9314c4167fe673bb6bfc5b0b2143296

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpath.ini

Filesize
102B

MD5
4eb94b01969fa28c09b2dbc2b33f40e9

SHA1
9168e91a470436b037a20f0e3c52f0bf9129b298

SHA256
178fe12fb6f34eeebea665e76f7a3dd3ddf78c7671bd467680b6e1dfc5fa3986

SHA512
ac3d0fd76e700d0a70a0f5c8ccbf9d97c412d0a613d6e0e5d7c3b3f66accf8a93c3ae6438a3dea3289a468e3894c8366ff835e8ecd72ed3487c2bf754cd3a2cf

Download Submit
memory/2644-0-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2644-41-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4588-42-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download